The moment you add a second person to client performance work, access stops being optional. If everyone signs in with the same credentials, you cannot tell who changed a budget, who ran a discovery job, or who should receive renewal mail. A separate login for every subcontractor means more password resets and no shared view of the portfolio.
Apogee Watcher uses three roles per organisation so delivery staff, leadership, and read-only stakeholders each get the access they need without sharing one password.
If you are new to how sites are grouped, start with the spotlight on managing multiple client sites in one dashboard. Roles apply on top of that structure: one login, many organisations, and permissions that follow the workspace you have selected.
Why shared passwords fail agencies
Agencies routinely need three different people in the same monitoring data:
A delivery lead who adds sites, tunes schedules, and fixes budgets after a deploy.
An account or leadership contact who cares about billing, plan limits, and who is on the team.
A client or auditor who should see trends and exports but must not reconfigure alerts or delete pages.
A single shared password collapses those jobs into one identity. You hear “someone changed the mobile budget” with no trail, and you hesitate to invite a client because they might change the wrong setting. You need a way to separate who can view data from who can change it, and who owns billing from who runs day-to-day monitoring, without opening a new product account for every person.
Three roles per organisation
Every member is attached to an organisation (your workspace for a client or your own agency) with one of three roles. The same person can belong to more than one organisation with different roles in each.
Admin
Organisation admins handle membership and subscription ownership. Only admins hold the paid subscription for that workspace. They can invite admins, managers, or viewers, change another member’s role, and remove access when someone leaves the project.
Admins can also create and edit sites, pages, budgets, and schedules in that organisation, within your plan limits. If the subscription lapses, read-only mode applies to admins too (see below).
Manager
Managers are the default delivery role. They can create and edit monitored sites, run discoveries, adjust budgets, and work through test history for every property in the organisation they belong to.
Managers can invite viewers only. They cannot promote someone to manager or admin, and they cannot edit another manager’s or admin’s membership. That lets you hire contractors for implementation work without handing them billing or team administration.
Viewer
Viewers are read-only inside the app. They can open dashboards, site lists, test results, and exports so they can follow a retainer or audit a report. They cannot create sites, change budgets, run discoveries, or invite users.
Use viewers for client stakeholders, finance reviewers, or junior staff who need visibility without configuration rights. The team roles and access feature page shows the same breakdown for people evaluating Watcher before they sign up.
What each role can do (summary)
| Area | Admin | Manager | Viewer |
|---|
| View sites, tests, budgets, alerts | Yes | Yes | Yes |
| Create or edit sites, pages, budgets, schedules | Yes | Yes | No |
| Invite or change team members | Yes (any role) | Yes (viewers only) | No |
| Billing and subscription | Yes (subscription holder) | No | No |
Permissions apply per organisation. A manager on Client A’s workspace has no access to Client B’s sites unless they are also a member of Client B’s organisation.
Organisation switching without extra logins
Apogee Watcher is built for many organisations under one login. After you sign in, you work inside the organisation you have selected. When you switch organisation, the sites, team list, and usage counters you see change to match that workspace.
That matters when you run a separate workspace per client. Developers can be managers on delivery organisations while a founder stays admin on the agency’s own organisation. You are not maintaining five email aliases for five PageSpeed tools; you assign roles inside each workspace.
Inviting someone without over-sharing
Team management is listed under Team Members in the app. The flow is email-based:
An admin or manager on a paid plan adds a person by email and chooses a role.
The invitee accepts and receives access only to organisations where they were added.
Their role applies immediately for that organisation.
Admins can assign admin, manager, or viewer. Managers can assign viewer only. Viewers cannot invite anyone.
On the Free plan, you cannot invite colleagues: the product works for one person until you upgrade. Paid plans let you add members according to plan limits; many agency tiers include unlimited team seats. Check pricing before you tell a client how many seats they will need.
Read-only mode when the subscription lapses
Roles control what a person may do when the organisation is active. Read-only mode is separate: it applies to everyone in an organisation when no admin there has an active subscription.
In read-only mode you can still sign in and review historical tests, dashboards, and settings. You cannot create or edit sites, change budgets, invite users, or delete monitoring data. The banner message differs slightly: admins see a renewal prompt; managers and viewers see that an organisation admin must renew.
Your data stays visible, but it is clear why Save and other edit actions are disabled. A freelancer who still has manager access cannot change live monitoring after you cancel the plan, because the organisation stays read-only until an admin’s subscription is active again.
How roles fit common agency workflows
Delivery and DevOps
Managers run the weekly loop from the Core Web Vitals monitoring checklist for agencies: confirm schedules, scan failed runs, adjust budgets after releases. Admins back them up when a new client workspace is needed or when someone must be promoted to manager after a team change.
Account and client visibility
Invite the client as a viewer when you want them inside the same charts you use, not a forwarded PDF every month. Pair that with your reporting rhythm from monthly performance review template for agency teams. Viewers see the same numbers; you keep control of thresholds and alert channels.
If you need a branded PDF instead of in-app access, white-label reporting is a separate track (white-label performance reports). Roles and white-label solve different problems: ongoing in-app visibility versus packaged deliverables.
Scaling headcount
When you add sites faster than you add people, roles stop a new hire from becoming admin on every client by default. You can give a contractor manager access on one organisation only, while leadership keeps admin on billing organisations. See how to build a performance-first agency culture for the wider habits; matching permissions to job titles makes those habits easier to keep.
What roles do not replace
Roles are not a substitute for client contracts or formal compliance programmes. They do not record every click in a separate security logging tool. They are practical permissions for a monitoring product: the right people can do their job, and others cannot change settings they should not touch.
Roles also do not bypass Google’s API quotas or your plan’s site and test limits. An admin still shares the organisation’s allowance; viewers do not consume extra tests by browsing history.
Getting started with a sensible default
Name organisations the way your team already talks about clients, not internal ticket codes.
Keep one or two admins per org for billing and membership; avoid making every developer an admin “just in case”.
Use managers for anyone who changes monitoring setup weekly.
Add viewers for clients and internal reviewers who only need read access.
Review membership when a retainer ends; deactivate or remove users so the team list matches reality.
After roles are in place, set up automated page discovery and performance budgets with email alerts so invited colleagues have test history and thresholds to review.
Summary
Each organisation gets admins, managers, and viewers with clear boundaries: billing and membership for admins, delivery work for managers, read-only access for viewers. Invites grant only the role you choose, organisation switching keeps multi-client work on one login, and read-only mode keeps data visible when a subscription ends.
Start with a free account to create an organisation and explore the dashboard solo; upgrade when you are ready to invite managers and viewers.
FAQ
Can one user be an admin on one client org and a viewer on another?
Yes. Roles are stored per organisation membership. Switch organisation in the app to see the matching sites and permissions.
Can a manager invite another manager?
No. Managers can invite viewers only. Admins assign manager or admin roles.
What happens if we downgrade to Free?
You cannot invite anyone on the Free plan. Existing members may still be able to sign in under current product rules, but you cannot add or change team members until you upgrade. Site and test limits follow the Free tier as well.
Do viewers count against team member limits?
Plan limits apply to team members as defined on pricing. Many paid tiers include unlimited members; check your tier before large invites.
Is read-only mode the same as the viewer role?
No. Viewers are read-only by role. Read-only mode is an organisation-wide state when subscription billing is inactive. Admins and managers become read-only too until an admin renews.
Where is API access controlled?
API keys and quota visibility are documented on API access and quota visibility. Organisation admins still decide who should receive credentials outside the app; treat keys with the same care as production deploy keys.